tomcat-users mailing list archives

From: Antony Bowesman
Subject: Re: Programmatic security with servlet mappings in tomcat
Date: Tue, 03 Jul 2001 12:54:30 GMT
pete wrote:
> Sure, one is that i want custom login screens, another is that
> we store all our authentication details centrally and query for
> them via an XML data service.
> Various user and domain-specific data, including user preferences,
> roles etc. is stored in this repository, not just 'yes, this user
> has blanket access to the site'.

You mean custom login screens per JSP?  We had the same issue about how
to protect the site and eventually went for getting the container to
handle the security.  Now we have optionally different login screens for
different webapps and a Tomcat realm that authenticates users against a
user repository running in an EJB container.  Permissions are then
checked using JAAS, and the realm loads groups, roles, etc. from the user
repository into the JAAS context.

In addition, J2EE roles are also mapped from roles in the user realm, so
we can use J2EE security, and roles are dynamic rather than having to
redeploy apps.

We opted against the JSP approach because it means that the onus is on
the developer to think about security :))  At least from the
presentation point of view; for the business logic there has to be
some thought...


> Our permissions-management tools are all written to work with this,
> so I have an existing system I must fit my tomcat-based solutions
> into here.
> I do use tomcat's basic authentication facilities for some unrelated
> services, but for us it makes a lot of sense to centralize
> authentication and preference data this way.
> If someone writes an app that doesn't protect the page? Well, then
> the page is unprotected.
> Security never comes completely for 'free', and in my experience
> it is beneficial to place some onus on the developer to at least
> think about security during the course of development.
> YMMV, of course, but this approach has worked well for us.
> -Pete
> > Pete,
> >
> >
> > Interesting that you don't use the container's authentication mechanism
> > to protect pages.  What if someone writes an app that doesn't protect
> > the page.  Any reason why you chose this route?
> >
> > Rgds
> > Antony
